CVE-2019-19118
Published 2019-12-02
Priority P434 · medium · CVSS 3.1 base score 6.5 · vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS 1.66% (73.7th percentile)
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 2:2.2.8-1 (bookworm) | python-django 2:2.2.8-1 (bookworm) |
| djangoproject | django | >= 2.1 < 2.1.15 | 2.1.15 |
| djangoproject | django | >= 2.2 < 2.2.8 | 2.2.8 |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
Django allows unintended model editing · ghsa · 2019-12-04 · HIGH · CWE-276
OSV
Django allows unintended model editing · osv · 2019-12-04 · HIGH
OSV
CVE-2019-19118: Django 2 · osv · 2019-12-02 · CVSS 6.5 · MEDIUM
Red Hat
django: privilege escalation in the django admin · vendor_redhat · 2019-12-02 · CVSS 6.5 · MEDIUM · CWE-285
Statement: The version of Django shipped with Red Hat Gluster Storage 3, R
Debian
CVE-2019-19118: python-django - Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A... · vendor_debian · 2019 · CVSS 6.5 · MEDIUM
Scope: local
bookworm: resolved (fixed in 2:2.2.8-1)
bullseye: resolved (fixed in 2:2.2.8-1)
forky: resolved (fixed in 2:2.2.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-19118 django: privilege escalation in the django admin · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Reference: https://www.openwall.com/lists/oss-security/2019
Bugzilla
CVE-2019-19118 python-django: django: privilege escalation in the django admin [epel-8] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-8.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion: Use the following template to for
Bugzilla
CVE-2019-19118 python-django: django: privilege escalation in the django admin [epel-7] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Automatically created tracking bug for epel-7; same tracking-bug boilerplate as the epel-8 entry above.
Discussion: Use the following template to for
Bugzilla
CVE-2019-19118 python-django: django: privilege escalation in the django admin [openstack-rdo] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Automatically created tracking bug for openstack-rdo; same tracking-bug boilerplate as the epel-8 entry above.
Discussion: This CVE does not i
Bugzilla
CVE-2019-19118 django:1.6/python-django: django: privilege escalation in the django admin [fedora-all] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Automatically created tracking bug for fedora-all; same tracking-bug boilerplate as the epel-8 entry above.
NOTE: this issue affects mu
Bugzilla
CVE-2019-19118 python-django: django: privilege escalation in the django admin [fedora-all] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Automatically created tracking bug for fedora-all; same tracking-bug boilerplate as the epel-8 entry above.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2019-19118 python2-django1.11: django: privilege escalation in the django admin [fedora-all] · bugzilla · 2019-12-09 · CVSS 6.5 · MEDIUM
Automatically created tracking bug for fedora-all; same tracking-bug boilerplate as the epel-8 entry above.
NOTE: this issue affects multiple
References:
- http://www.openwall.com/lists/oss-security/2019/12/02/1
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20191217-0003/
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases/